MODE-TARGET GAMES:

REACTIVE SYNTHESIS FOR CONTROL APPLICATIONS
Abstract. In this paper we introduce a class of Linear Temporal Logic (LTL)
specifications for which the problem of synthesizing controllers can be solved
in polynomial time. The new class of specifications is an LTL fragment that
we term Mode-Target (MT) and is inspired by numerous control applications
where there are modes and corresponding (possibly multiple) targets for each
mode. We formulate the problem of synthesizing a controller enforcing an MT
specification as a game and provide an algorithm that requires $O(\sum_i t_i n^2)$
symbolic steps, where $n$ is the number of states in the game graph, and $t_i$ is
the number of targets corresponding to mode $i$.


1. Introduction 

The results in this paper are developed under the correct-by-design philosophy 
for Cyber-Physical Systems (CPS) advocating control design methodologies that 
produce, not only the controller, but also a proof of its correctness. This design 
philosophy should be contrasted with the widely used design-and-verify approach 
under which a designer re-designs the controller to weed out the bugs that are found 
during multiple verification rounds. By placing greater emphasis and effort in the 
design phase it is possible to greatly reduce the verification efforts thereby reducing 
the design time and cost of complex CPS [SSJ HOI HIl 13] ■ 

The correct-by-design philosophy, however, is not without its own challenges and 
the purpose of this paper is to address one of the most critical: computational
complexity. If one takes Linear Temporal Logic (LTL) as the specification formalism, it
is known that synthesizing a controller enforcing such specifications is doubly
exponential in the length of the formula. This led several researchers to seek fragments
of LTL that are small enough for the complexity of synthesis to be lower, yet large 
enough to be practically relevant m El [a [ini EH US]. Among these, the one that 
had the biggest practical impact was the Generalized Reactivity (1) fragment,
abbreviated as GR(1), for which the controller synthesis can be solved in polynomial
time in the size of the transition system l^. Even though the GR(1) fragment was 
not originally intended for control applications, several researchers demonstrated its 
usefulness to synthesize correct-by-design controllers in practical scenarios [151 El ■ 
Later, extending the ideas in [7], the Generalized Rabin (1) fragment was shown to
be the largest class of LTL specifications for which the controller synthesis problem 
is still polynomial in the size of the transition system, unless P=NP nnj. 

In this paper, inspired by control applications, we introduce a new fragment of 
LTL termed Mode-Target (MT). An MT formula describes a setting where there 
are modes and corresponding targets for each mode. When the system is in a 
certain mode, the specification requires the system to reach one of the possible 
targets for that mode and stay there as long as the mode does not change. If the 
mode changes, there is no obligation to reach or stay within the target region of
the previous mode. We use MT formulas to define mode-target games, a subclass
of LTL games. The winning condition of an MT game is an MT formula and,
moreover, the game graph conforms to additional restrictions on the structure of
the modes. We believe that modeling the desired behavior of control systems in this
way, via modes and targets, is quite natural for designers. We support this claim
in Section 3 by giving three concrete examples from different application domains
that illustrate the usefulness of MT games. The first example is an adaptive cruise
controller, whose specifications are outlined by the International Standardization
Organization (ISO). The second example builds on [13], where researchers from
the Toyota Technical Center described the desired behavior for an air-fuel-ratio
controller in signal temporal logic. The third example is the control of certain
chemicals inside a nuclear power plant during shutdown and startup operations as
outlined in [27]. We show that the controller synthesis problem for all of these
examples can be posed as finding a winning strategy for an MT game.

The contributions of this work can be summarized as follows: 


• We propose MT as a practically useful LTL fragment from a modeling
perspective. Doing so, we extend an earlier version of this work where a
more restricted class of formulas was introduced as MT formulas [6]. We
provide three concrete control applications as an illustration of the large
class of problems that can be naturally modeled as MT games.

• We introduce the notion of simple games that abstracts the key properties
of GR(1) and MT games so as to prove the correctness and complexity of
the proposed algorithms in a transparent manner. In doing so, we provide
a new and simpler proof for the correctness and complexity estimates
of the existing controller synthesis algorithms for GR(1) while highlighting
the commonalities and differences between GR(1) and MT games. In
particular, we show that MT games are also GR(1) games.

• We propose an algorithm to synthesize controllers enforcing MT specifications
which requires $O(\sum_{i=1}^{m} t_i n^2)$ symbolic steps, where $n$ is the number of
states in the game graph and $t_i$ is the number of targets corresponding to
mode $i$. In contrast, the complexity of the algorithm resulting from embedding
MT games into GR(1) games and using existing synthesis algorithms
for the GR(1) fragment is $O(\sum_{i=1}^{m} t\, n^2)$, where $t$ is the largest number of modes
across all the targets. Although these two complexity upper bounds coincide
when the number of targets for each mode is the same, we empirically
show in Section that the proposed synthesis algorithm still outperforms
the synthesis algorithm obtained via the GR(1) embedding in this situation.


The rest of the paper is organized as follows. In Section 2 we review the syntax
and semantics of LTL and introduce LTL games. We formally define MT games in
Section 3 and illustrate their usefulness via examples from control. In Section 4 we
present an algorithm for solving MT games. We then show in Section 5 that every
MT game can be formulated as a GR(1) game. This leads to an alternative solution 
for MT games via existing algorithms to solve GR(1) games. We experimentally 
compare the two algorithms for the solution of MT games in Section|^and conclude 
with Section [3 
2. Preliminaries

We start by reviewing the syntax and semantics of Linear Temporal Logic (LTL) 
and corresponding games. 

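2.1. Linear Temporal Logic. Consider a set of atomic propositions $P$. LTL
formulas are constructed according to the following grammar:

$$\varphi ::= p \in P \mid \neg\varphi \mid \varphi \vee \varphi \mid \bigcirc\varphi \mid \varphi\,\mathcal{U}\,\varphi.$$

We denote the set $2^P$ by $\Sigma$, where $2^P$ is the set of all subsets of $P$. An infinite word
is an element of $\Sigma^\omega$, where $\Sigma^\omega$ denotes the set of all infinite strings or words obtained
by concatenating elements or letters in $\Sigma$. We also regard elements $w \in \Sigma^\omega$ as maps
$w : \mathbb{N} \to \Sigma$. Using this interpretation we denote $w(i)$ by $w_i$. In the context of LTL,
the index $i$ models time and $w_i$ is interpreted as the set of atomic propositions that
hold at time $i$.

The semantics of an LTL formula $\varphi$ is described by a satisfaction relation $\models$ that
defines when the string $w \in \Sigma^\omega$ satisfies the formula $\varphi$ at time $i \in \mathbb{N}$, denoted by
$w, i \models \varphi$:

• For $p \in P$, we have $w, i \models p$ iff $p \in w_i$,

• $w, i \models \neg\varphi$ iff $w, i \not\models \varphi$,

• $w, i \models \varphi \vee \psi$ iff $w, i \models \varphi$ or $w, i \models \psi$,

• $w, i \models \bigcirc\varphi$ iff $w, i+1 \models \varphi$,

• $w, i \models \varphi\,\mathcal{U}\,\psi$ iff there exists $k \ge i$ such that $w, k \models \psi$ and for all $i \le j < k$,
we have $w, j \models \varphi$.

We use the shorthand notation $\varphi \wedge \psi$ for $\neg(\neg\varphi \vee \neg\psi)$ and True for $\neg\varphi \vee \varphi$.
We further abbreviate $\text{True}\,\mathcal{U}\,\varphi$ as $\Diamond\varphi$, which means that $\varphi$ eventually holds, and
$\neg\Diamond\neg\varphi$ by $\Box\varphi$, which says that $\varphi$ always holds. We call the operators $\bigcirc$, $\mathcal{U}$, $\Box$, and
$\Diamond$ temporal operators.

We write $W(\varphi)$ to denote the set of all infinite words which satisfy $\varphi$, i.e.,
$W(\varphi) := \{\sigma \in \Sigma^\omega \mid \sigma \models \varphi\}$. We say that $\psi_1$ and $\psi_2$ are semantically equivalent, and
write $\psi_1 \equiv \psi_2$, if $W(\psi_1) = W(\psi_2)$.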

2.2. Games. A game graph is a tuple $G = (V, E, P, L)$ consisting of:

• A finite set $V$ of states partitioned into $V_0$ and $V_1$, i.e., $V = V_0 \cup V_1$ and
$V_0 \cap V_1 = \emptyset$;

• A transition relation $E \subseteq V \times V$;

• A finite set of atomic propositions $P$;

• A labeling function $L : V \to 2^P$ mapping every state in $V$ to the set of
atomic propositions that hold true on that state.

In this definition, $V_0$ and $V_1$ are the states from which only player 0 and player
1 can move, respectively. Thus, the state determines which player can move. We
assume that for every state $v \in V$, there exists some $v' \in V$ such that $(v, v') \in E$.
The function $L$ can be naturally extended to infinite strings $r \in V^\omega$ by $L(r) =
L(r_0)L(r_1)L(r_2)\ldots \in \Sigma^\omega$.

A play $r$ in a game graph $G$ is an infinite sequence of states $r = v_0 v_1 \ldots \in V^\omega$,
such that for all $i \ge 0$, we have $(v_i, v_{i+1}) \in E$. A strategy for player 0 is a partial
function $f : V^* \times V_0 \to V$ such that whenever $f(r, v)$ is defined, $(v, f(r, v)) \in E$. We
denote the set of all plays under strategy $f$ starting from state $v$ by $\Omega_{f,v}(G)$, and
the set of all possible plays for a given game graph $G$ by $\Omega(G)$. For a given LTL
formula $\varphi$ and a game graph $G = (V, E, P, L)$, we use $W_G(\varphi)$ as the shorthand
notation for $W(\varphi) \cap L(\Omega(G))$.

For the purposes of this paper, an LTL game is a pair $(G, \varphi)$ consisting of a
game graph $G$, and a winning condition $\varphi$ which is an LTL formula. A play $r$ in
a game $(G, \varphi)$ is winning for player 0 if $L(r) \in W(\varphi)$. A strategy $f$ for player 0 is
winning from state $v$ if all plays starting in $v$ which follow $f$ are winning for player
0. For a given game $(G, \varphi)$, $[\![\varphi]\!]_G$ denotes the set of states from which player 0 has
a winning strategy; this is the winning set of player 0. When it is clear from the
context which game graph we are referring to, we drop the subscript and just write
$[\![\varphi]\!]$.

The set of states from which player 0 can force a visit to a set of states $V'$ is denoted by
$\mathrm{Pre}(V')$, i.e.,

$$\mathrm{Pre}(V') = \{v \in V_0 \mid \exists v' \in V' : (v, v') \in E\} \cup \{v \in V_1 \mid (v, v') \in E \implies v' \in V'\}.$$

We introduce the following fixed-point notation for a given monotone mapping
$F : 2^V \to 2^V$:

$$\nu X\, F(X) = \bigcap_i X_i, \text{ where } X_0 = V \text{ and } X_{i+1} = F(X_i), \text{ and}$$
$$\mu X\, F(X) = \bigcup_i X_i, \text{ where } X_0 = \emptyset \text{ and } X_{i+1} = F(X_i).$$

In other words, $\nu X\, F(X)$ and $\mu X\, F(X)$ are the greatest and least fixed-point of the
mapping $F$, respectively.

In the rest of the paper, we abuse notation and sometimes use a set of states
$V' \subseteq V$ as an LTL formula. In this case $V'$ is to be interpreted as an atomic
proposition that holds only on the states in $V'$. Whenever $V'$ defines an atomic
proposition not in $P$, we can always extend $P$ to contain $V'$. However, for the sake
of simplicity we will not explicitly do so.

We call $p$ a positional formula if it does not contain any temporal operators and
$\varphi$ a reachability formula if $\varphi = \Diamond p$ for some positional formula $p$. We say that $\varphi$ is a
GR(1) formula if it has the following form:

$$\bigwedge_{i_1 \in I_1} \Box\Diamond a_{i_1} \implies \bigwedge_{i_2 \in I_2} \Box\Diamond g_{i_2} \tag{1}$$

for some positional formulas $a_{i_1}$, $g_{i_2}$ and finite sets $I_1$ and $I_2$. We call games with
winning conditions given as a GR(1) formula GR(1) games. We refer the reader to
[7] for further details on GR(1) formulas.

3. Mode-Target Games 

3.1. Motivation. As the automotive technology evolves, conventional cruise control
(CCC) is being replaced by adaptive cruise control (ACC). ACC has two modes
of operation: the speed mode and the time-gap mode. In the speed mode, ACC
behaves exactly like CCC, i.e., it reaches a pre-set speed and maintains it. The
time-gap mode is what differentiates ACC from CCC. In this mode, ACC keeps
pace with the car in front, the lead car. This pace is characterized by the headway,
the quantity that captures the time required by the ACC equipped vehicle to brake
and avoid a collision when the lead car suddenly slows down. We consider the
specifications for ACC set by the International Organization of Standardization (ISO)
in [12]. Following these specifications, the target region corresponding to the speed
mode can be defined as $v \in \{v : |v - v_{des}| \le \epsilon_v\}$, where $v$, $v_{des}$ and $\epsilon_v$ denote the
velocity of the car, the desired velocity, and the allowable tolerance for the velocity,
respectively. Similarly, the target region of the time gap mode is formalized as
$\tau \in \{\tau : |\tau - \tau_{des}| \le \epsilon_\tau\}$, where $\tau$ is the headway, $\tau_{des}$ is the desired headway, and $\epsilon_\tau$
is the desired tolerance for the headway.¹ In each mode, the specification is to reach
and stay in the desired target region as long as the current mode does not change.
We can express this specification as the conjunction of individual specifications for
the time-gap mode and the speed mode, i.e., $\varphi_{timegap} \wedge \varphi_{speed}$, where:

$$\varphi_{timegap} := (\Diamond\Box M_{timegap} \implies \Diamond\Box T_{timegap}), \tag{2}$$
$$\varphi_{speed} := (\Diamond\Box M_{speed} \implies \Diamond\Box T_{speed}). \tag{3}$$

Here, $M_{timegap}$ and $M_{speed}$ are the atomic propositions that hold whenever the
corresponding modes are active. Similarly, $T_{timegap}$ and $T_{speed}$ are satisfied when
$\tau \in \{\tau : |\tau - \tau_{des}| \le \epsilon_\tau\}$ and $v \in \{v : |v - v_{des}| \le \epsilon_v\}$, respectively.

Implication (2) only requires the time gap to be reached if the system enters
and stays in the time gap mode forever. Hence, it seems that a controller may 
simply ignore the time gap mode if it knows that this mode will be eventually left. 
However, since we synthesize causal controllers, i.e., controllers that cannot foretell 
the future, any such controller will start driving the system to the time gap target 
once the system enters the time gap mode. Similarly, once the system leaves the 
time gap mode to enter the speed mode there is no need to reach the time gap mode 
anymore and the controller starts driving the system to the speed target. This is 
consistent with the ACC requirements in the ISO standard [12] that do not require 
a target to be reached once the corresponding mode is left. 

We now consider an engine control example: the control of a combustion engine.
As the researchers in the Toyota Technical Center argued in [13], the specifications
for the air-fuel (A/F) ratio controller of an internal combustion engine can be
naturally expressed in terms of modes and corresponding targets. We now summarize
these specifications given in [13]. There are four different modes of operation:
start-up mode, normal mode, power-enrichment mode, and fault mode. Only one
of these modes is active at any given time. Furthermore, for each mode there is a
required A/F ratio. The specification for the controller is to bring the A/F ratio
to this target value and keep it there unless the mode changes. We compile the
target A/F ratios corresponding to each mode in Table 1, where $\lambda_{ref}$ and $\lambda^{pwr}_{ref}$
are the optimal A/F ratios for normal and “full throttle” driving conditions,
respectively. Defining the atomic propositions for modes and targets according to
Table 1 we get the following LTL formula that captures the desired behavior:

$$\varphi_{start\text{-}up} \wedge \varphi_{normal} \wedge \varphi_{power} \wedge \varphi_{fault}, \text{ where}$$

$$\varphi_{start\text{-}up} := (\Diamond\Box M_{start\text{-}up} \implies \Diamond\Box T_{start\text{-}up}),$$

$$\varphi_{normal} := (\Diamond\Box M_{normal} \implies \Diamond\Box T_{normal}),$$

$$\varphi_{power} := (\Diamond\Box M_{power} \implies \Diamond\Box T_{power}),$$

$$\varphi_{fault} := (\Diamond\Box M_{fault} \implies \Diamond\Box T_{fault}).$$


¹ In addition to the mode-target behavior, [12] requires the headway to be kept above a certain
value regardless of the mode and at all times. However, this is a simple safety specification for
which a controller can be synthesized separately and composed with the mode-target controller
afterwards.
Table 1. The modes and the corresponding target A/F ratios as given in [13].
In this table, $\lambda_{ref}$ and $\lambda^{pwr}_{ref}$ correspond to the optimal A/F ratios in normal and
power-enrichment mode. The corresponding atomic propositions are written
in parentheses.

| Mode | Target A/F Ratio |
|---|---|
| Start-up ($M_{start\text{-}up}$) | $[0.9\lambda_{ref},\ 1.1\lambda_{ref}]$ ($T_{start\text{-}up}$) |
| Normal ($M_{normal}$) | $[0.98\lambda_{ref},\ 1.02\lambda_{ref}]$ ($T_{normal}$) |
| Power-Enrichment ($M_{power}$) | $[0.8\lambda^{pwr}_{ref},\ 1.2\lambda^{pwr}_{ref}]$ ($T_{power}$) |
| Fault ($M_{fault}$) | $[0.9\lambda_{ref},\ 1.1\lambda_{ref}]$ ($T_{fault}$) |


Table 2. The modes and the targeted concentration of chemicals in each
mode as given in [27]. In parentheses, we provide the notation for the atomic
propositions corresponding to each mode and target.

| Mode | Target Chemical Content |
|---|---|
| Start-up ($M_{start\text{-}up}$) | Sodium < 0.1 mg/kg, Hydrazine > 0.1 mg/kg ($T_{start\text{-}up}$) |
| Hot shutdown ($M_{hot}$) | 15 cm³/kg < H₂ < 50 cm³/kg ($T_{hot}$) |
| Cold shutdown ($M_{cold}$) | O₂ > 1 mg/kg ($T_{cold,\,w/\,oxy}$); H₂ > 50 Ncm³/kg ($T_{cold,\,w/o\,oxy}$) |



The last example we present is the control of a pressurized water reactor² during
shutdown and start-up stages. Even though the chemical processes that take place
in nuclear power plants are well studied under normal conditions, they are still yet
to be fully understood in the presence of transient behaviors, particularly during
shutdown and start-up. Therefore, it is important to ensure correct operation
during these critical phases. In [27], the authors document the specifications set
by Électricité de France (EdF) for both of these modes of operation. Here we
present a simplified version of these specifications. According to [27], there are two
shutdown procedures that can be followed based on the current temperature and
concentration of the materials in the plant: hot shutdown and cold shutdown. In
the hot shutdown mode, there is a target hydrogen concentration that must be
achieved. In the cold shutdown mode, the shutdown can be performed with or
without oxygenation depending on factors such as financial cost, risk, and specifics
of the power plant. For both of these modes the control objective is to attain and
sustain a certain chemical content in the reactor. Table 2 summarizes these target
chemical concentrations corresponding to each operation mode. Accordingly, in
this case the LTL formula describing the desired behavior is $\varphi_{start\text{-}up} \wedge \varphi_{cold} \wedge \varphi_{hot}$,
which is the conjunction of the specifications for the start-up mode, the hot shutdown
mode, and the cold shutdown mode, where

$$\varphi_{start\text{-}up} := (\Diamond\Box M_{start\text{-}up} \implies \Diamond\Box T_{start\text{-}up}),$$

$$\varphi_{hot} := (\Diamond\Box M_{hot} \implies \Diamond\Box T_{hot}),$$

$$\varphi_{cold} := (\Diamond\Box M_{cold} \implies (\Diamond\Box T_{cold,\,w/\,oxy} \vee \Diamond\Box T_{cold,\,w/o\,oxy})).$$

² A pressurized water reactor is a type of nuclear power plant that constitutes the majority of
nuclear power plants in Western countries, including the US.


3.2. Mode-Target Formulas and Games. The preceding examples illustrate 
the scenarios that we want to capture with a suitable LTL fragment. All of the 
control problems we just described share the following properties that define our 
setting: 

(P1) There are modes and corresponding targets.

(P2) If the system enters a mode, it should reach one of the targets associated with 
that mode and remain there. 

(P3) If the mode changes, there is no obligation to reach any of the targets of the 
previous mode anymore. 

We also make the following observation regarding the dynamics of the modes: 
(P4) There is at most one mode active at any given time. 

With these properties in mind, we now formally define mode-target formulas and 
games. For a game to be a mode-target game, its winning condition must be given 
by a mode-target formula and the corresponding game graph should have a specific 
structure capturing (P1)-(P4). 

Let $T$ and $M$ be finite sets of atomic propositions: $T = \bigcup_i T_i$ and
$M = \{M_1, M_2, \ldots, M_m\}$, where $T_i = \{T_{i,1}, \ldots, T_{i,t_i}\}$. Here, $M_i$ and $T_{i,j}$
represent mode $i$ and the $j$-th target of mode $i$, respectively. We start with a game graph
$G$ labeled with modes and targets, i.e., $G = (V, E, M \cup T, L)$ where $L : V \to 2^{M \cup T}$.
The winning condition for player 0 is given by a mode-target formula.


Definition 1 (Mode-Target Formula). An LTL formula is a mode-target formula
if it has the form

$$\varphi := \bigwedge_{i=1}^{m} \Big( \Diamond\Box M_i \implies \bigvee_{j=1}^{t_i} \Diamond\Box T_{i,j} \Big). \tag{4}$$

We can interpret $\varphi$ as: if the system eventually settles in $M_i$, then it should
eventually settle in one of the modes in $T_i$. This formula captures (P2) because it
guarantees that the system will reach one of the target regions in $T_i$ if the system
stays in mode $M_i$ from a certain time onwards. As we explained previously, the
left-hand side of the implication in (4) ensures that if the mode changes, the system
does not have to reach or stay in any of the corresponding targets of the previous
mode, as asserted by (P3). It is true that $\varphi$ can also be satisfied by switching
between modes infinitely often. However, as is the case in the ACC, A/F ratio,
and pressurized water reactor examples, the modes can be partially if not fully
determined by an external signal that the controller cannot change. In these cases,
by construction, the controller will make progress towards the target of the current
mode since it cannot predict if the system will remain in the current mode or switch
to a different mode. Also note that for the ACC and A/F ratio control examples
each $T_i$ is simply a singleton, since there is only one target region that can be
reached for all modes. This is not the case, however, for the pressurized water
reactor control example.
To address (P4) we make the following assumption on the modes:

(A) Modes are mutually exclusive, i.e., $M_i \in L(v) \implies M_j \notin L(v)$, $\forall j \ne i$, $\forall v \in V$.

Definition 2 (Mode-Target Games). We call LTL games with winning condition 
given by a mode-target formula and a labeling function L that satisfies (A), mode- 
target games. 

Note that, a mode-target game is a Streett game [33] with additional structure 
imposed by the assumption (A) on the labeling function. 

4. Solving Mode-Target Games 


4.1. Decomposition of the Winning Set. We start by introducing a few notions 
that are critical to understand the solution of MT games described in this section. 

Let $S_1 \subseteq \Sigma^*$ and $S_2 \subseteq \Sigma^* \cup \Sigma^\omega$. We define the concatenation of these sets as

$$S_1 S_2 := \{\sigma \in \Sigma^* \cup \Sigma^\omega \mid \sigma = \sigma_1\sigma_2,\ \sigma_1 \in S_1,\ \sigma_2 \in S_2\}.$$

A property $\Phi$ is a subset of $\Sigma^\omega$. The set of suffixes of a property $\Phi$ is denoted by
$\mathrm{Post}(\Phi)$, i.e., $\mathrm{Post}(\Phi) := \{\sigma' \in \Sigma^\omega \mid \sigma\sigma' \in \Phi \text{ for some } \sigma \in \Sigma^*\}$. A property $\Phi$ is an
absolute liveness property iff $\Sigma^*\Phi \subseteq \Phi$. We call $\varphi$ an absolute liveness formula if
$W(\varphi)$ is an absolute liveness property. A formula $\varphi$ is an absolute liveness formula
iff $\varphi \equiv \Diamond\varphi$ (see [33]). It follows that any formula of the form $\Diamond\varphi$, for some $\varphi$, is an
absolute liveness formula.

We now introduce a class of games that includes both GR(1) games and MT 
games. The definition of this class of games distills the properties that are essential 
for a simple and transparent derivation of its solution. 


Definition 3. An LTL game $(G, \varphi)$ is said to be simple if the winning condition
defined by $\varphi$ can be written as:

$$\varphi = \Box \bigwedge_{i \in I} \varphi_i, \qquad \varphi_i = \Diamond p_i \vee \psi_i, \tag{5}$$

where $p_i$ is a positional formula and $\psi_i$ is an absolute liveness formula that satisfies:

$$W_G(\psi_i) \subseteq W(\varphi). \tag{6}$$

□


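Lemma 1. Every GR(1) game is a simple game.

Proof. See Appendix B.

The proof of Lemma 1 relies on showing that any GR(1) formula can be written
in the following form:

$$\Box \bigwedge_{i_2 \in I_2} \Big( \Diamond g_{i_2} \vee \bigvee_{i_1 \in I_1} \Diamond\Box\neg a_{i_1} \Big). \tag{7}$$

The formula in (7) satisfies the properties required by the winning condition of
simple games given in (5) and (6), where $g_{i_2}$ is the positional formula $p_i$ and
$\bigvee_{i_1 \in I_1} \Diamond\Box\neg a_{i_1}$ is $\psi_i$. The inclusion in (6) is also fulfilled since we have

$$W\Big( \bigvee_{i_1 \in I_1} \Diamond\Box\neg a_{i_1} \Big) \subseteq W\Big( \Box \bigwedge_{i_2 \in I_2} \Big( \Diamond g_{i_2} \vee \bigvee_{i_1 \in I_1} \Diamond\Box\neg a_{i_1} \Big) \Big).$$
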

Lemma 2. Every mode-target game is simple.

Proof. See Appendix C. □

We prove Lemma 2 by showing that every MT formula can be written as:

$$\Box \bigwedge_{i=1}^{m} \Big( \Diamond\neg M_i \vee \bigvee_{j=1}^{t_i} \Diamond\Box(M_i \wedge T_{i,j}) \Big). \tag{8}$$

Note that (8) is in the form defined by (5) and (6), where the positional formula $p_i$
is $\neg M_i$ and formula $\psi_i$ is $\bigvee_{j=1}^{t_i} \Diamond\Box(M_i \wedge T_{i,j})$.

The winning condition for simple games can be written as a conjunction of
formulas $\varphi_i$ preceded by $\Box$, where each $\varphi_i$ can be decomposed as a disjunction
between a reachability formula and a formula $\psi_i$ satisfying (6). We now show that
it is easy to modify algorithms that synthesize winning strategies for reachability
games to obtain an algorithm for a conjunction of reachability formulas preceded
by $\Box$. The approach in this algorithm remains valid even when we disjoin these
reachability formulas with absolute liveness formulas $\psi_i$, in virtue of (6). The
inclusion given in (6) ensures that a play in $(G, \psi_i)$ that is winning for player 0 is
also winning in $(G, \varphi)$. Therefore, one can adopt a compositional approach to the
solution of simple games. A small modification to an algorithm that computes $[\![\varphi_i]\!]$
leads to an algorithm computing $[\![\Box \bigwedge_{i \in I} \varphi_i]\!]$. The next result makes these ideas
precise.

Theorem 3. The winning set for player 0 in a simple game $(G, \varphi)$ is given by

$$[\![\varphi]\!] = \nu Z \bigcap_{i \in I} [\![\psi_i \vee \Diamond(p_i \wedge \bigcirc Z)]\!]. \tag{9}$$

Proof. See Appendix]^ □ 



The proof of the first part of Theorem 3 follows the existing methods for constructing
winning strategies for Generalized Büchi games [3], in which the winning
condition is given by

$$\varphi = \Box \bigwedge_{i \in I} \Diamond B_i \tag{10}$$

for some subset of states $B_i \subseteq V$. The winning condition we are interested in,
given in (5), is slightly different from the one given in (10) due to the additional
$\psi_i$ term. However, inclusion (6) ensures that any play that is winning for $(G, \psi_i)$
is also winning for $(G, \varphi)$. Hence, by simply computing $\nu Z \bigcap_{i \in I} [\![\psi_i \vee \Diamond(p_i \wedge \bigcirc Z)]\!]$
we can obtain a winning strategy for player 0 in a simple game. Moreover, this
strategy can be seen as the composition of the strategies for games with the simpler
winning condition $\psi_i \vee \Diamond(p_i \wedge \bigcirc Z)$.

Theorem 3 shows how the structure of simple games makes it possible to combine
the sets $[\![\psi_i \vee \Diamond p_i]\!]$ as in (9) to compute the final winning set. In particular, we
conclude that modularity observed in the solution of GR(1) games is not due to the
structure of GR(1) formulas but rather to the structure of simple game formulas.
Hence, this structure can be leveraged beyond GR(1) games as we did for MT
games. Note how Theorem 3 describes the solution to both GR(1) and MT games.
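For later reference we instantiate (9) for MT games:

$$[\![\varphi]\!] = \nu Z \bigcap_{i=1}^{m} \Big[\!\!\Big[ \bigvee_{j=1}^{t_i} \Diamond\Box(M_i \wedge T_{i,j}) \vee \Diamond(\neg M_i \wedge \bigcirc Z) \Big]\!\!\Big] \tag{11}$$

and explain in the next section how to compute the winning sets

$$\Big[\!\!\Big[ \bigvee_{j=1}^{t_i} \Diamond\Box(M_i \wedge T_{i,j}) \vee \Diamond(\neg M_i \wedge \bigcirc Z) \Big]\!\!\Big] \tag{12}$$

so as to make use of (11). Note that if we instead instantiate (9) for the GR(1)
formula (7) we obtain

$$[\![\varphi]\!] = \nu Z \bigcap_{i_2 \in I_2} \Big[\!\!\Big[ \bigvee_{i_1 \in I_1} \Diamond\Box\neg a_{i_1} \vee \Diamond(g_{i_2} \wedge \bigcirc Z) \Big]\!\!\Big]. \tag{13}$$

The structures of the fixed-point expressions given in (13) and (11) are very
much alike, but not the same. While in GR(1) games for each $i_2 \in I_2$, i.e., for each
guarantee, the same persistency property is required to be satisfied ($\bigvee_{i_1 \in I_1} \Diamond\Box\neg a_{i_1}$),
in the case of MT games, the persistency part of the specification depends on the
current mode, i.e., the index $i$, as in (11) ($\bigvee_{j=1}^{t_i} \Diamond\Box(M_i \wedge T_{i,j})$).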


4.2. Computation of the Winning Set. In [14], Kesten, Piterman and Pnueli
presented a $\mu$-calculus formula which characterizes $[\![\bigvee_{i \in I} \Diamond\Box p_i \vee \Diamond q]\!]$, where $p_i$ and
$q$ are positional formulas. This $\mu$-calculus formula yields the following fixed-point
expression:

$$\mu Y \bigcup_{i \in I} \big( \nu X (\mathrm{Pre}(X) \cap [\![p_i]\!]) \cup [\![q]\!] \cup \mathrm{Pre}(Y) \big). \tag{14}$$

Using (14) it is easy to see that the winning set (11) is given by the following
fixed-point:

$$[\![\varphi]\!] = \nu Z \bigcap_{i=1}^{m} \mu Y \bigcup_{j=1}^{t_i} \big( \nu X (\mathrm{Pre}(X) \cap [\![M_i \wedge T_{i,j}]\!]) \cup ([\![\neg M_i]\!] \cap \mathrm{Pre}(Z)) \cup \mathrm{Pre}(Y) \big). \tag{15}$$

We refer to the algorithm defined by the iterative computation of the preceding
fixed-point as the MT algorithm. In the worst case, the MT algorithm can take
$O(\sum_{i=1}^{m} t_i n^2)$ iterations, where $t_i$ is the number of targets dedicated to mode $i$ and $n$
is the number of vertices in the game graph $G$. We summarize this in the following
theorem.


Theorem 4. Mode-target games can be solved by the symbolic algorithm MT
requiring $O(\sum_{i=1}^{m} t_i n^2)$ Pre computations.


Proof. In [8] Browne et al. show that a fixed point expression with alternation
depth $k$ can be computed in $O(n^{\lfloor 1 + k/2 \rfloor})$ iterations. Note that given a fixed-point
expression the alternation depth is simply the number of alternating greatest and
least fixed point operators.

The alternation depth of the fixed-point expression (15) is three. Moreover,
the computation of the fixed-point involves sequentially evaluating $t_i$ fixed-point
expressions for each mode, which results in $O(\sum_{i=1}^{m} t_i n^2)$ Pre computations in the
worst case. □


Theorem 4 only addresses the computation of the winning set for the controller.
However, the fixed-point computation given in (15) is constructive in the sense that
we can find a winning strategy by storing the intermediate sets that are computed
during its evaluation. The precise construction and implementation of the winning
strategy follows the same approach as in GR(1) games [7]. For the sake of
completeness we provide the details of the winning strategy synthesis in Appendix E.
Note that contrary to the winning strategy for GR(1) games, the winning strategy
for MT games is memoryless since player 0 only needs to know what the current
mode is.


5. Solving Mode-Target Games via GR(1) Games 

In this section, we describe how to transform a given MT game into a GR(1) 
game, thereby obtaining another algorithm to solve MT games that is based on the 
existing synthesis algorithms for the GR(1) fragment. To simplify the notation in 
the next proposition we introduce the atomic proposition Ti j defined by: 

1 false otherwise. 


Proposition 5. Every MT game with game graph G is equivalent to the GR(1) 
game {G,(p), where 


( maxi ti 

/\ DO (-M, V-T,,,- 
Proof. See Appendix]^ 




^j=l 


□ 


The proof of (16) has two main steps. In the first step, we show that the MT
game is equivalent to the GR(1) game $(G, \varphi_1)$, where


m maxi ti 


(17) 


Ti = V V on (Mi A Tij) V A OO^Mi 


\i=l 1 = 1 


'vi=l 


The equivalence of $(G, \varphi_1)$ to the MT game relies on assumption (A). Also note that
the formula in (17) is satisfied either when the system settles down in a mode and in
one of the corresponding targets or when it toggles between the modes indefinitely,
which matches the initial motivation of the MT fragment. Since the formula given
in 0 is a GR(1) formula with ti assumptions and m guarantees, this part of 
the proof already leads to a synthesis algorithm for MT games. In the second part
of the proof we show³ how to construct a GR(1) game with fewer assumptions that
is equivalent to $(G, \varphi_1)$ and for which the statement of Proposition 5 holds. Again
assumption (A) lies at the heart of the proof. This assumption restricts the modes
to be mutually exclusive and therefore enforces additional structure on MT games,
which lets us simplify the formula in (17).


³ This part of the proof is based on a comment we received from an anonymous reviewer of the
preliminary version of our results presented in [6].
The formula given in (16) is a GR(1) formula with $\max_i t_i$ assumptions and $m$
guarantees. Notice that this formula has at most the same number of assumptions
as (/3i since mmax^ti < Due to Propositionwe can now simply apply 

the algorithm given in [7] to the game graph G with the winning condition (16) to 
solve the MT game. This algorithm is based on the computation of the following 
fixed-point: 

(18) 

( m I maxi ti \ \ 

n^y[ u uX(Pre(X) A TiJ)uPie{Y) U(|^M,] n Pre(Z)) jj . 

We refer to the algorithm defined by the iterative computation of the preceding
fixed-point as the GR(1)-Emb algorithm, for GR(1) Embedding. In the worst
case, the GR(1)-Emb algorithm can take $O(m \max_i t_i\, n^2)$ iterations, where $m$ is
the number of modes in the MT formula, $t_i$ is the number of targets dedicated to
mode $i$, and $n$ is the number of vertices in the game graph $G$. This follows from
the fact that solving GR(1) games according to the fixed-point computation in [7]
takes $O(n_a n_g n^2)$ symbolic steps, where $n_g$ is the number of guarantees and $n_a$ is
the number of assumptions. Then, the bound $O(m \max_i t_i\, n^2)$ follows from the fact
that $n_a = \max_i t_i$ and $n_g = m$ as in (16).


The following result summarizes the discussion in this section. 


Theorem 6. Mode-target games can be solved by the symbolic algorithm GR(1)-Emb
requiring $O(m \max_i t_i \, n^2)$ Pre computations.

Proof. Similar to the proof of Theorem this result follows from the fact that
the given fixed-point expression is of alternation depth three. Moreover, in each
iteration of the algorithm we sequentially compute $m \max_i t_i$ fixed-point expressions
which results in $O(m \max_i t_i \, n^2)$ Pre computations in the worst case. □


Comparing the complexities of the MT and the GR(1)-Emb algorithms as
given in Theorem and Theorem we get

$$O\Big( \sum_{i=1}^{m} t_i \, n^2 \Big) \le O\Big( m \max_i t_i \, n^2 \Big). \tag{19}$$


Although the GR(1)-Emb and the MT algorithms compute the same winning
set, the MT algorithm has better worst case complexity than the GR(1)-Emb
algorithm. Moreover, the equality in (19) holds iff

$$t_\ell = \max_i t_i \quad \text{for all } \ell \in \{1, 2, \dots, m\}, \tag{20}$$


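i.e., if the number of targets associated with each mode is equal. In this special
case, assuming the number of targets for each mode to be $t$, the fixed-point that
needs to be computed for the GR(1)-Emb algorithm is

$$\nu Z \bigcap_{i=1}^{m} \mu Y \bigcup_{j=1}^{t} \Big( \nu X \big( \mathrm{Pre}(X) \cap \llbracket \textstyle\bigvee_{k=1}^{m} (M_k \wedge T_{k,j}) \rrbracket \big) \cup \big( \llbracket \neg M_i \rrbracket \cap \mathrm{Pre}(Z) \big) \cup \mathrm{Pre}(Y) \Big) \tag{21}$$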
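while for the MT algorithm the fixed-point computation given in (15) becomes

$$\nu Z \bigcap_{i=1}^{m} \mu Y \bigcup_{j=1}^{t} \Big( \nu X \big( \mathrm{Pre}(X) \cap \llbracket M_i \wedge T_{i,j} \rrbracket \big) \cup \big( \llbracket \neg M_i \rrbracket \cap \mathrm{Pre}(Z) \big) \cup \mathrm{Pre}(Y) \Big). \tag{22}$$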


As can be seen from (21) and (22), even in this special case where the two different
approaches have the same worst-case complexity, the computations performed by
GR(1)-Emb and MT differ. While the fixed-point expression (21) has
$\llbracket \bigvee_{k=1}^{m} (M_k \wedge T_{k,j}) \rrbracket$ for every mode index $i$, the fixed-point in (22) replaces this set with $\llbracket M_i \wedge T_{i,j} \rrbracket$
for each $i$. Since $\llbracket M_i \wedge T_{i,j} \rrbracket \subseteq \llbracket \bigvee_{k=1}^{m} (M_k \wedge T_{k,j}) \rrbracket$ for all $i$ and $j$, due to the monotonicity
of the given fixed-point operator, the MT algorithm performs no worse than the
GR(1)-Emb in terms of number of iterations. Moreover, for a given $i$ and $j$, in
order to compute the fixed-point in the variable $X$, the algorithm MT only requires
the storage of the set $\llbracket M_i \wedge T_{i,j} \rrbracket$ instead of $\llbracket \bigvee_{k=1}^{m} (M_k \wedge T_{k,j}) \rrbracket$. This suggests that
the algorithm MT might also have better space complexity. To investigate these
differences in practice, we provide in the next section an experimental comparison
of two implementations for each of the two algorithms presented in this paper:
GR(1)-Emb, and MT.
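The comparison above can be replayed on a small explicit game. The following Python example is added here and is not the authors' implementation: it evaluates the MT fixed point (with $t$ replaced by $t_i$) and the GR(1)-Emb fixed point (18) on a constructed nine-vertex turn-based game. It assumes the usual controllable-predecessor definition of Pre and reads $\nu X$ as ranging over the whole three-term union, as in the GR(1) fixed point of [7]; the graph, vertex names and function names are all constructed for this illustration.

```python
# Constructed 9-vertex turn-based game (sample data, not from the paper).
# Player 0 (controller) owns V0; player 1 (environment) owns the rest.
SUCC = {
    "u": {"u", "w"}, "w": {"s", "x"}, "s": {"s"}, "x": {"x"},
    "p": {"p", "q"}, "q": {"p", "s"}, "y": {"z"}, "z": {"y", "x"},
    "v": {"v", "x"},
}
V = frozenset(SUCC)
V0 = frozenset("wsxqz")
# Modes are mutually exclusive, as assumption (A) requires.
MODES = [frozenset("uwsxzv"), frozenset("pqy")]           # M1, M2
TARGETS = [[frozenset("us"), frozenset("v")],             # T11, T12 (t1 = 2)
           [frozenset("p")]]                              # T21      (t2 = 1)


def pre(X):
    """Controllable predecessor (assumed definition): player 0 needs one
    successor in X, player 1 must have all successors in X."""
    return frozenset(
        v for v, nxt in SUCC.items()
        if (any(s in X for s in nxt) if v in V0 else all(s in X for s in nxt))
    )


def fix(f, start):
    """Iterate a monotone operator from `start` until it stabilises."""
    cur = start
    while True:
        nxt = f(cur)
        if nxt == cur:
            return cur
        cur = nxt


def solve(goal_sets):
    """Evaluate  nu Z. AND_i mu Y. OR_j nu X.((Pre(X) & G[i][j])
                                   | (~M_i & Pre(Z)) | Pre(Y)).
    Returns the winning set and the number of inner nu-X fixed points solved."""
    inner = 0

    def step_z(Z):
        pre_z, win = pre(Z), V
        for M, goals in zip(MODES, goal_sets):
            escape = (V - M) & pre_z          # leave mode M_i, stay in Z

            def step_y(Y):
                nonlocal inner
                base, out = escape | pre(Y), frozenset()
                for G in goals:
                    inner += 1
                    out |= fix(lambda X: (pre(X) & G) | base, V)
                return out

            win &= fix(step_y, frozenset())   # least fixed point in Y
        return win

    return fix(step_z, V), inner              # greatest fixed point in Z


def mt_goals():
    """MT algorithm: mode i only looks at its own sets M_i & T_ij."""
    return [[M & T for T in Ts] for M, Ts in zip(MODES, TARGETS)]


def emb_goals():
    """GR(1)-Emb: every mode uses OR_k (M_k & Tbar_kj), j = 1..max_i t_i,
    where Tbar_kj is empty (false) once j exceeds t_k."""
    tmax = max(len(Ts) for Ts in TARGETS)
    padded = [
        frozenset().union(*(M & Ts[j] for M, Ts in zip(MODES, TARGETS)
                            if j < len(Ts)))
        for j in range(tmax)
    ]
    return [padded for _ in MODES]


if __name__ == "__main__":
    for name, goals in (("MT", mt_goals()), ("GR(1)-Emb", emb_goals())):
        win, inner = solve(goals)
        print(f"{name:10s} winning set {sorted(win)}  inner fixed points {inner}")
```

On this graph both calls return the same winning set, while GR(1)-Emb solves 24 inner fixed points against 18 for MT, which is the 4:3 ratio of $m \max_i t_i$ to $\sum_i t_i$ for these mode and target counts.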


6 . Experimental Comparison 


The winning set and a corresponding winning strategy can be computed by
iterating the operators on the right hand sides of (15) and (18) until a fixed-point
is reached. We can improve the time efficiency of a direct implementation of this
iteration by using two important ideas from the literature. In m , the authors make 
the following observation: if one wants to compute the largest (smallest) fixed-point 
of an operator and one already knows a set that contains (is contained in) this fixed- 
point, then the largest (smallest) fixed-point computation can be started from this 
value instead of E (0). By using this idea, the authors showed that the complexity 
of their computation does not depend on the number of fixed-point operators but 
rather the number of such fixed-point alternations, i.e., alternation depth. Taking 
the same idea a step further, in [8], by exploiting monotonicity, the authors
state that one can use the intermediate values of the sets to initialize the fixed-point
computations. This method also leads to improved time efficiency, but now with the
cost of the requirement to store the value of intermediate sets that are not necessary
for the computation of the final fixed-point. However, as mentioned in Section 4.2
the construction of the winning strategy depends upon these intermediate values.
Therefore, in our experiments we use the method described in [8], since the extra 
memory allocation is partly unavoidable when the desired end product is a winning 
strategy, and not just the winning set. 

In this section, we discuss the experimental time and memory usage of algorithms 
GR(1)-Emb and MT. We present three sets of experiments. The first two are 
designed to compare the performance of the two algorithms in different scenarios, 
while the last one demonstrates a concrete application of the MT fragment in the 
design of the ACC example described in Section [63| 


6.1. Random Linear Time-Invariant Systems with Multiple Targets. We
start with the simplest class of dynamical systems: linear time-invariant systems.
We demonstrate how the performance of the two algorithms differs as the theoretical
worst-case gap between the GR(1)-Emb algorithm and MT algorithm deepens.
To this end, we consider a scenario where all modes but one have a single associated
target. For this remaining mode, starting from a single target we gradually increase
the number of associated targets in order to accentuate the difference between the
two sides of the inequality in (19). We provide the descriptions of all mode and
target sets in Appendix G. In Fig. 1 we summarize our findings for the case when
we have three, six and nine modes. We plot in Fig. 1a the ratio between the number
of iterations it takes for the GR(1)-Emb algorithm versus the MT algorithm to
compute the winning set. In Fig. 1b we compare the two algorithms in the same
fashion, but now in terms of the elapsed time. Each data point represents the
average value we obtained after computing the winning set on 20 random linear
time-invariant systems. All systems have the form $\dot{x} = Ax + Bu$, where the entries
of the matrices $A$ and $B$ are randomly chosen from the set $[-1, 1]$. The state space
and the input space are the sets $[-6, 6] \times [-6, 6]$ and $[-4, 4]$, respectively. As can
be seen from both figures, MT outperforms GR(1)-Emb, and the performance
difference becomes progressively more prominent as the number of extra targets
and modes increase.



(a) The ratio of number of iterations of GR(1)-Emb to MT.
(b) The ratio of elapsed time until convergence of GR(1)-Emb to MT.


Figure 1. Comparison of the algorithms GR(1)-Emb and MT when there 
are multiple targets corresponding to one of the modes. 


6.2. Unicycle Cleaning Robot. We consider a scenario where a unicycle robot
cleans the rooms on a hotel floor. The robot has to reach one of the rooms that is
not clean and stay there, until an external signal indicates that the current room
has been cleaned. We now explain how we model this scenario as an MT game.
Assume that there are two rooms, defined by the atomic propositions $T_1$ and $T_2$.
Each mode-target pair corresponds to a different subset of rooms that need to be
cleaned. Specifically, $M_1$, $M_2$, and $M_3$ indicate that only the first room, only the
second room, and both of the rooms need to be cleaned, respectively. Accordingly,
the MT formula corresponding to this scenario is:

$$(\Diamond\Box M_1 \implies \Diamond\Box T_1) \wedge (\Diamond\Box M_2 \implies \Diamond\Box T_2) \wedge (\Diamond\Box M_3 \implies (\Diamond\Box T_1 \vee \Diamond\Box T_2)).$$

Note that, if there are $k$ rooms, the number of modes is $2^k - 1$.
Figure 2. Mode dynamics for the cleaning robot, when there are two rooms
($M_1$: only room 1 is not clean, $M_2$: only room 2 is not clean, $M_3$: both rooms
are not clean).


We first construct the game graph corresponding to the dynamics of the cleaning
robot. The differential equations:

$$\dot{x} = v \cos(\theta), \quad \dot{y} = v \sin(\theta), \quad \dot{\theta} = \omega,$$

offer a simplified model for a 3-wheel robot equipped with differential drive. The
pair $(x, y) \in \mathbb{R}^2$ denotes the position of the robot, $\theta \in [-\pi, \pi[$ denotes its orientation,
and $(v, \omega) \in \mathbb{R}^2$ are the control inputs, linear velocity $v$ and angular velocity $\omega$.
For this example we restrict the position (the location of the rooms) to the set
$[1, 7.5] \times [1, 7.5]$, input to the set $[0, 0.5] \times [-0.5, 0.5]$ and create an abstraction using
the PESSOA [TB] tool. This abstraction is stored as an Ordered Binary Decision 
Diagram [I] (OBDD) and constitutes the game graph describing the dynamics of 
the cleaning robot. It has 21141 vertices or states and 6 inputs that are available 
at each state. 

We now describe the dynamics of the modes. When the robot is in room $i$ that
has not yet been cleaned, the mode can change to the mode where the room $i$ does
not need to be cleaned anymore. The nondeterminism in this change models an
external signal indicating whether the cleaning in the current room has been
completed or not. When all the rooms are cleaned, a nondeterministic mode transition
can occur to any other mode to restart the process. In Fig. 2 we illustrate the
dynamics of the modes when there are two rooms. As can be seen, there is a
nondeterministic transition from $M_3$ to $M_2$ as the robot enters the room 1 ($T_1$). Similarly,
if the system is in $M_1$ (only room 1 is not clean), when the robot reaches room 1,
the system can take a nondeterministic transition to any of the other modes, i.e.,
we restart the cleaning process once all the rooms are cleaned.

To obtain the final game graph describing the dynamics of both the modes and
the cleaning robot, we compose the game graph describing the modes and the game
graph describing the dynamics of the robot. Note that the second player in this
game arises due to the conservative nature of the abstraction, as explained in [24],
and the nondeterminism in the mode changes, both of which can be modeled as an
adversarial disturbance.

We compare the performance of the GR(1)-Emb, and the MT algorithms as 
we increase the number of rooms from 2 to 5. The rooms are boxes of various 


^The parameters used for the abstraction were rj = 0.25, = 0.5, and r = 0.5. An explanation of 

the meaning of these parameters is given in m- 
dimensions defined as:

$T_1 = [1, 3] \times [1, 2.5]$
$T_2 = [1, 3] \times [3, 5]$
$T_3 = [3.5, 5.5] \times [3, 5.5]$
$T_4 = [3.5, 5.5] \times [1, 2.5]$
$T_5 = [6, 7.5] \times [2, 5]$.


Fig. 3 summarizes our findings. Fig. 3a and Fig. 3b illustrate that, as the
number of rooms increases, the gap between the performance of the algorithm MT
and the algorithm GR(1)-Emb increases significantly both in terms of number
of iterations of the fixed-point algorithms as well as the computation time. Note
that, when there are $k$ rooms we have $m \max_i t_i = (2^k - 1)k$ and $\sum_{i=1}^{m} t_i = \sum_{i=1}^{k} \binom{k}{i} i$.
Therefore, the widening of the performance gap is expected, since as the number
of rooms increases, so does the difference between the worst case time complexities
of GR(1)-Emb and MT. In terms of memory usage, GR(1)-Emb does slightly
worse than MT as expected, but the performance difference is not significant.



(a) The number of iterations until convergence for the algorithms GR(1)-Emb and MT.
(b) Elapsed time until convergence for the algorithms GR(1)-Emb and MT.

Figure 3. Comparison of the algorithms GR(1)-Emb and MT on the cleaning
robot case study for varying number of rooms.


6.3. Adaptive Cruise Control (ACC). The last example demonstrates the
usefulness of the MT fragment by applying it on the ACC design problem that we
detailed earlier. We model the dynamics of the ACC equipped vehicle by a
hybrid system with two discrete states which specify whether there is a lead car
or not. The continuous states describe the evolution of the velocity of the ACC
equipped vehicle ($v$) as well as the velocity of the lead car ($v_L$), and the distance
to the lead car ($h$) whenever there is one. The net action of braking and engine
torque applied to the wheels ($F_w$) is viewed as the control input and is assumed
to satisfy the bound $-0.3mg < F_w < 0.2mg$, where $m$ is the mass of the ACC
equipped vehicle and $g$ is the gravitational constant. Via PESSOA, we constructed
a discrete abstraction of this hybrid system, which together with the dynamics of
the modes constitutes the game graph of the MT game. The abstraction contains
over 1.5 million states. We refer the reader to [19] for the details of the construction
of this abstraction and a complete description of the corresponding hybrid model.

Figure 4. The winning set computed by the MT Algorithm.
The winning condition of the game is the conjunction of the safety specification
$\varphi_{\mathrm{safety}}$ with the MT formula $\varphi_{\mathrm{speed}} \wedge \varphi_{\mathrm{timegap}}$, where

V^safety = ^ [t ^ Tgafe]; 

(23) ^speed = (OniVfspeed ^^[Ucles ^vi'^des : 

^timegap = (OnMtimegap ' ' ^^[Tdes Cx,Tdes T ^r]) ■ 

The values of the parameters appearing in ( |2^ are Tgafe = 1 s, Udes = 25 m/s, e„ = 
1) Ldes = 1-6, and = 1. Note that the additional safety formula, ipsafety, can be 
handled separately by first synthesizing a safety controller and then composing this
controller with a controller synthesized solely for the MT formula, $\varphi_{\mathrm{speed}} \wedge \varphi_{\mathrm{timegap}}$.

In Figure 4 we present the winning set computed via the MT Algorithm. As
can be seen, the domain does not contain the points where $h$, the headway, is small
and $v$, the velocity of the ACC vehicle, is high, since there is no sequence of control
inputs to maintain a safe headway starting from these states. We simulated the
MT controller on CARSIM, an industry standard car dynamics simulation package,
for the following scenario: at time $t = 0$ s, a lead car is present driving below the
desired speed $v_{\mathrm{des}} = 25$ m/s of the ACC car, then leaves the lane at $t = 3$ s, allowing
the ACC car to reach and attain its desired speed. At $t = 13$ s, a new lead car
cuts in 30 m in front of the ACC car and starts decelerating. This means that
the ACC car should slow down in order to increase the headway. Fig. 5 presents
the behavior of the MT controller. Notably, all constraints, which are indicated by 
green lines, are satisfied throughout the simulations. For a detailed discussion on 
hardware implementation of the MT controller and further experimental results, 
we refer the reader to m- 

The different experimental results suggest the following: (1) MT is consistently
better than GR(1)-Emb. Even for the case when the theoretical worst
case complexities of both algorithms are the same, MT outperforms GR(1)-Emb.
However, the performance increase is not always considerable in this case; (2) there
is no significant difference in the memory usage between MT and GR(1)-Emb
algorithms; (3) as the gap between $\max_i t_i$ and widens, so does the performance
difference between GR(1)-Emb and MT, which is in accordance with the results
in Section [4^

Figure 5. Simulation results in CarSim of the PESSOA controllers. The plots
show, from top to bottom, velocities, headway, time headway, and applied
control input. Grayed areas indicate that the system is in specification mode
$M_{\mathrm{timegap}}$. Dashed green lines indicate target sets, solid green indicate safety
sets.


7. Conclusions 

We introduced a new class of LTL games called mode-target games and argued
that these games can be used to model a variety of control design problems
encountered in practice. We provided two algorithms to solve MT games. The first
algorithm is based on transforming MT games to simple games, a class of LTL
games for which we provide a synthesis algorithm. This leads to an algorithm that
solves MT games in a number of steps polynomial in the size of the game graph. We
next provided a different algorithm that relies on the fact that every MT game can
be embedded into a GR(1) game. We also showed that the direct algorithm has
better worst case complexity than the algorithm obtained via the GR(1) embedding.
These observations were validated through multiple simulations. As future work,
we plan on investigating whether additional structure arising in control problems
can lead to further simplifications both in MT games as well as other LTL games.
Appendix A. Preliminary Lemmas


A property $\Phi$ is a stable property iff $\mathrm{Post}(\Phi) \subseteq \Phi$, i.e., if $\Phi$ is closed under
suffixes. We call $\varphi$ a stable formula if $W(\varphi)$ is a stable property. It is proved in
[22] that a formula $\varphi$ is a stable formula iff $\Box\varphi = \varphi$. Then it follows that any
formula of the form $\Box\phi$, for some $\phi$, is a stable formula. Moreover, the conjunction
of stable formulas is also a stable formula. Take two stable formulas $\varphi_1$ and $\varphi_2$;
then $\varphi_1 \wedge \varphi_2 = \Box\varphi_1 \wedge \Box\varphi_2 = \Box(\varphi_1 \wedge \varphi_2)$, which is a stable formula. Also recall that
a property $\Phi$ is an absolute liveness property iff $\Sigma^{*}\Phi \subseteq \Phi$. We call $\varphi$ an absolute
liveness formula if $W(\varphi)$ is an absolute liveness property.

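Lemma 7. Given the formulae $\varphi_1$ and $\varphi_2$, if we have $W_G(\varphi_1 \wedge \varphi_2) = \emptyset$, then the
following holds:

$$W_G(\neg\varphi_1 \vee \varphi_2) = W_G(\neg\varphi_1).$$

Proof.

$$\begin{aligned}
W_G(\neg\varphi_1 \vee \varphi_2) &= W_G\big((\neg\varphi_1 \wedge \varphi_2) \vee (\neg\varphi_1 \wedge \neg\varphi_2) \vee (\varphi_1 \wedge \varphi_2)\big) \\
&= W_G\big((\neg\varphi_1 \wedge \varphi_2) \vee (\neg\varphi_1 \wedge \neg\varphi_2)\big) \\
&= W_G(\neg\varphi_1).
\end{aligned}$$

□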


Lemma 8. Given the sets of LTL formulae Ui^i{'ipi}, and a game graph 

G, if for all i G I we have Wg (ipi A VjG 7 \{i} V'i] = 0) then the following holds: 



Wg 




Proof. The following holds: 



d) 


( 2 ) 


Wg 


Wg 



V Y lAi I 
jeAfd / 



U Wg 



V Y 

ieAfd 



= Wg 




where = follows from the fact that Vi G I, Wg (fPi A VjG/\{i} ~ Lemmaj^ 

while = follows from the inclusion Wg (Aig/ ^ Wg V ipi)) . 

□ 
Lemma 9. Given a stable formula $\varphi$, and a winning strategy $f$ for player 0 in
we have |(p] = V*, where V* := 'i-e-, the set of all 

states visited under the strategy f. 

Proof. We note that it suffices to show V* C |(^]. The other direction is immediate 
due to the definition of V*. Note that since v? is a stable formula, it is closed under 
suffixes. This means that any strategy / that is winning for (G, tp) is winning for 
(G, □|(/5]) as well. Therefore, any play r S „(g) always stays inside the 

set Iv?], hence V* C |(^], and the result follows. □ 

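Lemma 10. Let $p$ and $q$ be positional formulas, then

$$\Box(\Diamond p \vee \Diamond\Box q) = \Box\Diamond p \vee \Diamond\Box q.$$

Proof.

$$\Box(\Diamond p \vee \Diamond\Box q) \overset{(1)}{=} \Box(\Diamond(p \vee \Box q)) = \Box\Diamond(p \vee \Box q) \overset{(2)}{=} \Box\Diamond p \vee \Box\Diamond\Box q \overset{(3)}{=} \Box\Diamond p \vee \Diamond\Box q,$$

where $\overset{(1)}{=}$ holds since $\Diamond\varphi_1 \vee \Diamond\varphi_2 = \Diamond(\varphi_1 \vee \varphi_2)$, and $\overset{(2)}{=}$ is true because $\Box\Diamond(\varphi_1 \vee \varphi_2) = \Box\Diamond\varphi_1 \vee \Box\Diamond\varphi_2$. Finally, $\overset{(3)}{=}$ follows from $\Box\Diamond\Box q = \Diamond\Box q$.

□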


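Lemma 11. Let $p$ and $q$ be positional formulas, then

$$(\Diamond\Box p \implies \Diamond\Box q) = (\Diamond\Box p \implies \Diamond\Box(p \wedge q)).$$

Proof.

$$\begin{aligned}
(\Diamond\Box p \implies \Diamond\Box(p \wedge q)) &= (\Diamond\Box p \implies (\Diamond\Box p \wedge \Diamond\Box q)) \\
&= (\neg(\Diamond\Box p) \vee (\Diamond\Box p \wedge \Diamond\Box q)) \\
&\overset{(1)}{=} (\neg(\Diamond\Box p) \vee \Diamond\Box p) \wedge (\neg(\Diamond\Box p) \vee \Diamond\Box q) \\
&= \mathrm{True} \wedge (\neg(\Diamond\Box p) \vee \Diamond\Box q) = (\Diamond\Box p \implies \Diamond\Box q),
\end{aligned}$$

where $\overset{(1)}{=}$ holds because $\vee$ distributes over $\wedge$.

□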


Appendix B. Proof of Lemma 1 


Given a GR(1) formula ip, the following holds: 




= V on-a, V /\ no?., ^^ □ A (( V ] V 09^■. 

ilGll 12^12 \ \* 1^-^1 / 


where = follows from very similar arguments to those in the proof of Lemma [l^ in 
Appendix]^ Note that Vi^g/jOn^ai^ implies p, i.e., W (Vi^g/jOn^ai J C W{ip). 
Therefore, p = □ (Aj^g/^OPis V V’iJ, where V'ia := Vi^g/iOn^aij, for all 12 S h, 
which completes the proof of the lemma. 
Appendix C. Proof of Lemma 2


(p = /\ I ODM, ^ Y I s /\ I DO-M, V V On(M, A 

i=i \ j=i j i=i \ j=i 


( 2 ) 


10 


and 


y □ /\ O-M, V Y oa{M, A T,,,) 

i=l \ j=l 

(1) . I I . (2) 

where = is due to Lemma |11[ while = follows from Lemma 

□(/Ji A □(/J2 = A (p2)- 

The last formula has the form given in the statement of the lemma, where pi 
is -^Mi and is A Tij). Then, we are only left with showing that 

Woi^i) C Wg{p). 

Recall that in MT games for all z; S P, if Mi £ L{v) then Mj ^ L{v) for all j ^ i. 
It follows that for any r £ we have: L(r) |= L{r) ^ for all 

j ^ i. Moreover, note that W{()D^Mj) C W{D()^Mj). Therefore, the following 
holds: 

(24) 

Wb Y Oa(Mi A T,j)\ C y ^ 0-M,j where = {1,2. m}\ (i) 


c»r|n( A ()^Mi V Y On(Af^ A Tij) 

{fGAi i=i 


Also note that 


(25) 


Wg I Y ^ ] QWgI do-m, V Y on(M, A r,.,) 

vi=i / V i=i 

= VLg (□ (V Y oa{M, A T,,,) 


where the last equality is due to Lemma 10 


By combining the inclusions (25) and (241 we get 

Wg I Y 0O(M, A T,.,) I c ITg [ □ X ( V Y 0O(M, A r,,j) 

Vi=i / \ \ 

which completes the proof of the lemma. 

Appendix D. Proof of Theorem [3] 

Let Z* = vZ n |z/ii y (){pi A oZ)\. We start by proving Z* C [□ A^g/ ipi\. We 
i&I 

make the following observation: 
This suggests that a strategy that visits all $p_i$'s in a circular fashion is winning
for player 0. We pick the visiting order piP2 ■ ■ - Pi ■ ■ ■P\I\^ since it is enough to find 
one winning strategy. Therefore, whenever a play visits a state that satisfies pi 
player 0 should be able to switch to a strategy that is winning for the game with 
the winning condition {)Pi+i(mod| 7 |)- Next, we explain that this is in fact possible 
on Z*. 

The game starts at a state in Z*. Player 0 follows the strategy that is winning 
for the game V 0(Pi A oZ*)), from Z*. If the game reaches a state v G |pi], 

then player 0 forces a visit to Z*. After that player 0 starts following a strategy that 
is winning for the game with the winning condition: ' 0 i+i(mod| 7 |) V (}{pi+i(mod\i\) A 
oZ*). This switching is possible since Z* C V 0(^7 A oZ*)\, for all i G I. The 
circular switching can be implemented using a counter, with |/| states. 

Due to the disjunction of the reachability part of the formula with i/ji, it is true 
that a play that follows the above strategy can be winning for {G,tjji) for some 
i G I, instead of {G,()pi) for some i G I. However, since we assumed that for each 
i G I, ipi is an absolute liveness formula, and Wc{ipi) C W (□ A^g/ (pi), even in this 

case the play is winning for □ /\ Therefore, Z* C [□ A^g/ (pi\. 

iei 

Now, we show that the other direction, i.e., [□ A^g/pi] C Z*. To show that 
!□ Aig/Pi] C Z*, it is sufficient to show [□ Aig/pi| C F(|nAig 7 Pi|), where 
F{Z) := Rig/ IV'i V 0(Pi A oZ)\ (see e.g. [IS]). Since □ Aig/ pi is a stable formula, 
we can invoke Lemma with p = □ Aig/ pi and conclude that 

!□ A,g/p,| =F*, 


where V* = Urgn„,AG) 

[□A,g/p,| = H* C f| 1(7/-, V OPz) A □H*| 
i^I 

c nK^*vo(ftAoH*)i, 

i&I 

( 1 ) 

where C follows from the definition of V *, since it includes all states visited under 
the winning strategy for player 0 in (G, p). We just proved that V* C F{V*). Note 
that, for any S C V we have S C F{S) S C Z* due to [15]. This shows that 
V* = !□ Aig/ Pi] C Z*, which completes the proof. 


Appendix E. Strategy Synthesis 

Recall that a strategy is a partial function $f : V^{*} \times V_0 \to V$ such that whenever
$f(r, v)$ is defined, $(v, f(r, v)) \in E$. We next construct a memoryless strategy
$f : V_0 \to V$ based on a set of edges that can be computed from the intermediate
results obtained when computing the fixed-point in (15).

We start with some additional notation. We use Y^to denote the set computed 
at the iteration of the following fixed-point computation over V: 

fiY [ IJ uA(Pre(A) n [M, A T,.,]) U(hM,| n |p|)UPre(r) | . 
Similarly, denotes

pX(Pre(X) n [M, A U H^M^j n M) U Pre{Y*^)). 

To simplify the construction of the strategy, without loss of generality we assume 
that the modes are exhaustive, i.e., Ui|Mi] = V. For each mode M^, where 
fee {1,2,..., m}, we define the set of edges Ek '■= U i?fc ,2 such that: 

Ek,i = [j{{v,v')€E\v€Y:^ y:<^ av'& , 

e>i 

tk 

^F2 = U U S ^ e n Wk A n,j} A V ^ Xlf* Av'G Xf* I , 

3 = 1 I 

where Y^"^^ = IJ and = IJ X^^*. E^^i corresponds to the transi- 

0<i<^ ’ 0<i<k 

tions, that player 0 can force the game to make progress towards a state in I^M^J 
or a state that will not leave \Mk A T/tj] forever for some j. The edges in Ej ^2 are 
the transitions, where the game is at a state in |Mfe A TkjJ, and player 0 can force 
the game to stay in |Mfc AT^ j] but cannot force it to make progress towards a state 
in I^Mfc]. Note that player 0 still wins by always taking the transitions in Ej 2 since 
even if there is no progress towards the game stays in |Mfc A Tfcj] forever 

as well. As a final step, we use of edges Ek to define / : |(/3] —>• F as /(tq) = v', 
where vq G G |<p] and {vo,v') G Ek, which completes the construction of 

the winning strategy. 

Appendix F. Proof of Proposition [5] 

We prove this proposition in two main steps. In the first step, we show that 
every mode-target game can be transformed into an equivalent GR(1) game. 

Let (G, (fi) be a mode-target game. Then the following holds: 

m f ti \ ^ I 

(26) <^ = A 0°^* V = A 0°^* V 0n(M, AT,,,) 

i=l \ 3 = 1 j i=l \ 3 = 1 

Let (fii = 0n(Mi A Ti) and (}D(Mi A Tij). Since the modes are 

mutually exclusive, i.e.. Mi G L{v) Mj ^ L{v), Vj ^ i and Vu G V, the 

following holds: 

(27) M^g(<AzA V !/>, =0,Wg/. 

V *eA{i} / 

Then due to Lemmaj^we get: (p = ODAfi VUi ViLi (>0{Mi A A,,)^ . 

Next we show: 

Wg (VZi ODM, vr=i VAi OW A T,,,)) 

= Wg (vZi ^ V7=T ‘‘ on a t,,,)) 

where $\bar{T}_{i,j} = T_{i,j}$ if $j \le t_i$ and $\bar{T}_{i,j} = \mathrm{false}$, otherwise.
The inclusion:


Wg{^) C ITg I V 0°^^ ^ y OO V™ 1 (M, A T,,,) 

i-1 


, 2=1 


m ti max^ ti m _ 

is immediate since V V A Tij) = V V (}0{Mi A Tij) and 

2 = 1 J =1 ^=1 

maxi ti m _ maxi ti _ 

V V ()\2{Mi A Tij) implies V <>□ V™ ^ (M^ A Tij). To show the other di- 

j=i i=i j=i 

rection, we start with the following observation. Suppose r G V^, and let / be a 
finite index set. Then the following semantic relation holds: 


(28) 


L(r) h □ ^ h V V V A 


iGl 


iGl 


JCI, jGJ 
|J|>1 


where each pi is a positional formula. Note that this follows from the fact that 
any word satisfying □ Vig/ pi should either always stay in one of the pi’s forever, 
and hence satisfy Vig/Dpi or shuffle between at least two different p^’s, i.e., satisfy 
y JCI /\,^jO()pj. Let I := {1,2, ...m}. We are now ready to show the other 
|,7|>i 

direction as follows: 


/ m maxi ti m _ \ 

Wg V OOM, y ooy(M, A 

yi=i i=i / 

(1) / maxi ti m _ max^ ti m _ 

QWgI V V On(M,AT,,,) V V V V A □0(A^.Ar,,j) V A no-M, 

V 3 = 1 i=l 3 = 1 i=lJCI^,sGJ i=l 

|.7|>1 

(2) / m maxi ti _ \ 

c Wg V V OOiM, A A,A V A no-M, , 

Vi=l i = l i=l / 


d) 

where C follows from the inclusion given in (28), distributivity of 0 with respect 
to V and the syntactic equivalence 


0 /\ ao{Ms A r,,A = /\ ao{Ms,j a t,,, 


s G«/ 


s G«/ 


Due to the disjointness of modes we have WG{Mi) C WG(^Mj), Vj A A 
( 2 ) 

therefore C follows from the fact that V A □0(Tfs AT^j) implies A™ 

JC7„,sGJ 

|J|>i 

Therefore we have: 


(29) Wg(<p) = Wg I V 0°^* =a V 0° V™ i ^ | • 

1 3 = 1 


This completes the proof since we can rewrite the formula on the right hand side 
of the equality (29) and get the equality in (16). 
Appendix G. Description of the Mode and Target Sets in Section 6.1


% Excerpt: loop_counter_aux, mode_set and fMode are not defined in this listing.
for num_of_extra_targets=0:2:10
  while (loop_counter_aux<=3)

    % Continuous dynamics (linear)
    a0=-1;
    b0=1;

    % create matrices where each element is between -1 and 1
    system1_cont.A=(b0-a0).*rand(2,2)+a0;
    system1_cont.B=(b0-a0).*rand(2,1)+a0;

    for num_of_modes=[3:3:9]

      num_of_targets=num_of_modes+num_of_extra_targets-1;

      % candidate mode sets, one box per row pair: [x_min x_max; y_min y_max]
      mode_set_man{1}=[-5 -3.25;-1 2];
      mode_set_man{2}=[-2 0.2;1 4];
      mode_set_man{3}=[3 6;-2 -0.25];
      mode_set_man{4}=[-5 -2.5;3.25 5];
      mode_set_man{5}=[3.5 5;0 2.5];
      mode_set_man{6}=[0 2;4.5 6];
      mode_set_man{7}=[-2 0;-2 -1.25];
      mode_set_man{8}=[-2 0;-1 0.5];
      mode_set_man{9}=[0.25 2;-1 0.5];
      mode_set_man{10}=[0.7 2;1.5 4];
      mode_set_man{11}=[3.5 5;-6 -3];
      mode_set_man{12}=[-6 -3;-6 -3];
      mode_set_man{13}=[0.25 2;-6 -3];
      mode_set_man{14}=[3 6;3 6];
      mode_set_man{15}=[-2 0;-6 -3];

      % pick num_of_modes of the 15 candidate sets at random
      P = randperm(15,num_of_modes);

      a0=0.75;
      b0=0.8;

      % scaling factor of the target relative to its mode set
      target_r = (b0-a0).*rand(1,1) + a0;

      % center of the mode sets
      for i=1:num_of_modes

        mode_set_center{i}=mode_set{i}(:,1)+((mode_set{i}(:,2) ...
            -mode_set{i}(:,1))/2);

        % first initialize number of targets per each mode to 1
        num_of_targets_per_mode{i}=1;

      end

      % the last mode has extra targets
      num_of_targets_per_mode{num_of_modes} = num_of_extra_targets+ ...
          num_of_targets_per_mode{num_of_modes};

      % targets
      for i=1:num_of_modes

        % target set is a subset of the mode set
        target_set{i}=[mode_set_center{i}-((mode_set{i}(:,2)- ...
            mode_set{i}(:,1))/2)*target_r ...
            mode_set_center{i}+((mode_set{i}(:,2)- ...
            mode_set{i}(:,1))/2)*target_r];

      end

      % scaling
      a1 = 0.9;
      b1 = 0.3;

      % offset
      a2 = -0.4;
      b2 = 0.4;

      for ii=1:num_of_extra_targets

        % choose a subset of the mode set
        target_r = (b1-a1).*rand(1,1) + a1;
        target_shift = (b2-a2).*rand(2,2) + a2;

        target_set{num_of_modes+ii}=[mode_set_center{fMode}- ...
            ((mode_set{fMode}(:,2)-mode_set{fMode}(:,1))/2)*target_r ...
            mode_set_center{fMode}+((mode_set{fMode}(:,2)- ...
            mode_set{fMode}(:,1))/2)*target_r]+target_shift;

      end

    end

  end

end